Nicholas Byrne wrote:
Hi,
With FDS 1.0.2, I've followed the configuration howto guidelines to
set up the Directory Server to use SSL (as per my post a few days ago);
however, after configuring the Administration Server and Console to use
SSL as well, I've run into trouble. The directory server alone works
fine with SSL.
The reason I'm trying to get Admin and console working in SSL is so I
can set up a secure Windows sync agreement; without this all I can do
is set up an insecure sync agreement.

But you don't have to get Admin and console working with SSL in order to
set up a windows sync agreement with SSL. Do the docs say you have to
do this? If so, where?

The console will not display anything (absolutely no screen or
anything) after entering password and clicking OK in the
authentication dialog. There are no messages in the console I started
it on.

startconsole -D will give you debug information, and startconsole -D 9
will give you everything.

Before I configured the SSL on the admin server and console it was
working correctly and displayed the normal Admin server/Directory
Server screens.
The console which I'm running using (I also tried admin user):
startconsole -u "cn=Directory Manager" -a https://ds01.tech:59910 -x nologo
I turned loglevel to debug in the admin server and this is what I see:
[Tue Nov 28 14:22:46 2006] [info] Connection to child 30 established (server ds01.tech:443, client 10.170.99.22)
[Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_host_ip_check: ap_get_remote_host could not resolve 10.170.99.22
[Tue Nov 28 14:22:47 2006] [info] Initial (No.1) HTTPS request received for child 30 (server ds01.tech:443)
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2518): [client 10.170.99.22] checking user cache for: cn=Directory Manager
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(2525): [client 10.170.99.22] not in cache, trying DS
[Tue Nov 28 14:22:47 2006] [debug] mod_admserv.c(1480): [client 10.170.99.22] admserv_check_authz: request for uri [/admin-serv/authenticate]
[Tue Nov 28 14:22:47 2006] [notice] [client 10.170.99.22] admserv_check_authz(): passing [/admin-serv/authenticate] to the userauth handler
[Tue Nov 28 14:22:47 2006] [info] Connection to child 30 closed (server ds01.tech:443, client 10.170.99.22)

This looks ok, except for the log shows port 443 and you are using port
59910.

In the slapd log I see:
[28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"

This looks like the /admin-serv/authenticate request as logged in the
admin server.

[28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.

This looks like the console is attempting to use ldap on the ldaps
port. I think you need to tell the console to use SSL when talking to
this directory server -
http://directory.fedora.redhat.com/wiki/Howto:SSL#Using_the_command_line

Anyone know how I can fix this? Thanks very much
Nick
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
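
An added example, not part of the original thread or of the FDS project: a small Python check over slapd access-log lines that lists connections accepted on the SSL port which closed without a logged cipher line or any LDAP operation, the pattern conn=52 shows in the quoted log. The sample log is constructed from the lines quoted in the thread; the function name and the regular expressions are assumptions of this example.

```python
import re

# Constructed sample, modelled on the slapd access-log lines quoted in the thread.
SAMPLE_LOG = """\
[28/Nov/2006:14:22:46 +0000] conn=51 fd=65 slot=65 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:22:46 +0000] conn=51 SSL 128-bit RC4
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[28/Nov/2006:14:22:46 +0000] conn=51 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[28/Nov/2006:14:22:46 +0000] conn=52 fd=64 slot=64 SSL connection from 10.170.99.22 to 10.103.20.21
[28/Nov/2006:14:32:04 +0000] conn=52 op=-1 fd=64 closed - Encountered end of file.
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT = re.compile(r"SSL connection from (?P<client>\S+) to \S+")
CIPHER = re.compile(r"SSL \d+-bit \S+")
OP = re.compile(r"op=(?P<op>-?\d+) ")
CLOSED = re.compile(r"closed - (?P<reason>.+)$")


def stalled_ssl_connections(log_text):
    """Return SSL-port connections that closed with no logged cipher and no operation."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an access-log line carrying a conn= field
        rest = m["rest"]
        c = conns.setdefault(int(m["conn"]), {
            "conn": int(m["conn"]), "client": None, "opened": None,
            "cipher": False, "ops": 0, "closed": None})
        if (a := ACCEPT.search(rest)):
            c["client"], c["opened"] = a["client"], m["ts"]
        elif CIPHER.match(rest):
            c["cipher"] = True  # a cipher line was logged for this connection
        elif (o := OP.match(rest)):
            if int(o["op"]) >= 0:
                c["ops"] += 1  # a real LDAP operation (BIND, RESULT, ...)
            if (cl := CLOSED.search(rest)):
                c["closed"] = cl["reason"]
    return [c for c in conns.values()
            if c["client"] and not c["cipher"] and c["ops"] == 0 and c["closed"]]


if __name__ == "__main__":
    for c in stalled_ssl_connections(SAMPLE_LOG):
        print(f"conn={c['conn']} client={c['client']} opened={c['opened']} "
              f"no cipher, no ops, closed: {c['closed']}")
```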